{
  "threat_severity" : "Important",
  "public_date" : "2026-02-25T14:58:56Z",
  "bugzilla" : {
    "description" : "basic-ftp: basic-ftp: File overwrite due to path traversal",
    "id" : "2442644",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2442644"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-22",
  "details" : [ "The `basic-ftp` FTP client library for Node.js contains a path traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the `downloadToDir()` method. A malicious FTP server can send directory listings with filenames containing path traversal sequences (`../`) that cause files to be written outside the intended download directory. Version 5.2.0 patches the issue.", "A flaw was found in basic-ftp, an FTP client library. A malicious FTP server can exploit a path traversal vulnerability (CWE-22) within the `downloadToDir()` method. This allows the server to send directory listings containing special sequences that trick the client into writing files to unintended locations on the system. Such an attack could lead to unauthorized file creation or modification, potentially compromising the integrity of the affected system." ],
  "statement" : "In default configurations Red Hat on products affected applications do not allow for arbitrary file overwrites. The files which may be overwritten are scoped to the active user permissions that the process is executing with.",
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-27699\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27699\nhttps://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9\nhttps://github.com/patrickjuchli/basic-ftp/releases/tag/v5.2.0\nhttps://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c" ],
  "name" : "CVE-2026-27699",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}